How Ads Can Give You Malware (and How to Protect Yourself)

Most Internet users don’t need another reason to dislike ad exchanges, which not only serve all kinds of annoying and intrusive ads, but have also been hit with a string of compromises in recent months. But as Russell Brandom reports for The Verge, researchers have found that ad networks can be manipulated to serve malware, which can then infect consumers’ machines.

Malware detection firm Cyphort Labs released a report called “The Rise of Malvertising,” outlining the firm’s research into how cyber criminals can seed malicious advertising into legitimate advertising networks. These advertising networks then deliver those infected ads to popular websites, and visitors to those websites get infected. It may come as a surprise that not only do such “malvertising” campaigns exist, but they’re becoming more common.

Cyphort found that the number of such campaigns rose by 325% in the past year, a figure at which it arrived by sampling Alexa’s top 100,000 most-visited domains and counting how many served infected ads. Brandom notes that even at their highest, the numbers indicate that just a fraction of the sites surveyed were affected, but Cyphort’s researchers are still troubled by the upward trend, which seems to have continued through the year. Cyphort’s researchers write that consumers’ computers can be infected either when they click on a malicious ad, or simply when they visit a site.

These attacks, dubbed “malvertising,” can be launched either by deceptive advertisers or agencies, or by hackers who exploit compromises in the massive ad supply chain (which includes ad networks, ad exchanges, and ad servers). They typically infect computers by exploiting vulnerabilities in Flash.

Publishers unknowingly add a corrupted or malicious advertisement to a web page, and when a user lands on that page, he is automatically redirected to malware. Additionally, attackers often place “clean” ads on trustworthy sites to establish a good reputation, and from there insert malicious code or spyware behind an ad, or employ other tricks to avoid detection while continuing to infect users.

Cyphort notes that a common misconception is that you have to click on a malicious ad to get infected, but that’s actually untrue. Online ads look like an image hosted on a website, but are neither images nor hosted by the website that you’re visiting and probably trust. Instead, ad networks choose which ad to send you, but often rely on your browser to call an ad server to actually get the ad. Combating malvertising is difficult because of how complex the ad supply chain is. Cyphort explains:

When a user visits a website a bidding request among the affiliates of the advertiser is triggered to determine who will get to see metadata about the visiting user. This metadata can include geographical location, browser type and web browsing history. The affiliates then automatically bid on this impression. The highest bidding advertiser gets to display their ad.

It is common practice to outsource the advertising on websites to third-party specialists. These companies re-sell this space, and provide software which allows people to upload their own advertisements, bidding a certain amount of money to ‘win’ the right for more people to see them. The ad networks get millions of ads submitted to them, and any one of those could be malvertising. They try to detect and filter malicious ads from their systems, but it is challenging. The potential damage is high, as ad networks have a very deep reach and can infect many people quickly.
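The point above, that an ad is fetched by your browser from servers other than the site you are visiting, can be checked for any saved page by listing the off-site hosts that supply its active content. This is an added example, not code from Cyphort's report or the original article; the page URL, hostnames and HTML are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose URL attribute makes the browser fetch and run or render
# active content (scripts, frames, plugin objects such as Flash).
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
FLASH_TYPE = "application/x-shockwave-flash"

# Constructed sample: a publisher page with its own assets plus ad slots.
SAMPLE_URL = "https://news.example/story"
SAMPLE_HTML = """
<img src="/img/logo.png">
<script src="/js/site.js"></script>
<script src="//ads.adnetwork.example/tag.js"></script>
<iframe src="https://exchange.example/slot?id=1"></iframe>
<object data="https://cdn.adserver.example/banner.swf" type="application/x-shockwave-flash"></object>
<embed src="https://cdn.adserver.example/promo.swf">
"""

class ThirdPartyInventory(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []  # (tag, host, is_flash) per off-site resource

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        ref = a.get(ACTIVE.get(tag, ""))
        if not ref:
            return  # not an active-content tag, or no URL on it
        url = urljoin(self.page_url, ref)  # resolves relative and //host URLs
        host = urlparse(url).hostname
        # Simplification: only an exact host match counts as first-party.
        if host is None or host == self.page_host:
            return
        flash = ((a.get("type") or "").lower() == FLASH_TYPE
                 or urlparse(url).path.lower().endswith(".swf"))
        self.findings.append((tag, host, flash))

def third_party_active_content(page_url, html):
    parser = ThirdPartyInventory(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for finding in third_party_active_content(SAMPLE_URL, SAMPLE_HTML):
        print(finding)
```

A static listing like this shows only the first hop: an ad tag usually pulls in further scripts and frames at run time, so the hosts a browser actually contacts can be more numerous than the ones in the page source.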

Infected ads can deliver files or even entire programs to your browser, and can be instructed to attack only at particular times or geographies. Even the choice of a hosting site can enable the attacker to target victims by industry or interest, and select individuals by their location and their machine type. Cyphort has found infected ads on highly-trafficked websites, including the Huffington Post and YouTube, which demonstrates that even popular websites that most users trust aren’t immune.

The firm reports that combatting malvertising requires “vigilance and best practices from all parties involved,” including publishers, ad networks, and even Internet users. Cyphort recommends that users avoid “blind” surfing in order to reduce the potential of exposure to infected ads, and also notes that keeping your computer system and security software up to date “will go a long way in protecting you when you do have to venture in the ‘dark night.’”

It’s especially important to stay on top of updates for software that’s easily exploited, like the Adobe Flash Player. Using a browser that can detect websites with malware-infected ads, like Google Chrome, is an important step, as is running a reputable antivirus software to detect and protect against malware. Installing ad-blocking software is another precaution that individual users can, and probably should, take in order to avoid downloading the malware in the first place.